Don’t think alternative markets save your money

May 14th, 2012

The Android:FakeInst family of malware seems to be a never-ending story. Its creators have been trying to trick users into sending premium-rate SMS messages for several months now. Just a few days ago, we discovered 25 more apps placed on alternative markets, all based on a concept very similar to the one in the story we wrote about before Christmas.

This time the malicious Android applications are hosted on several domains:

[image: list of the hosting domains]

All these sites were registered a week ago, so it looks like they were meant to serve as malware hosting for the bad guys from the very beginning. Also, if someone tries to access these sites from a browser, the visitor only receives a 404 error message, which does not look like a legitimate site. Analyzing the trail the malware creators left for us, we discovered a few sites they have used in order to attract users; all of them target Russian-speaking people and look like alternative markets. In reality, these sites exist for a short period of time and offer only fake downloaders.

[image: one of the fake alternative market sites]

So what does the visitor see? The user is tricked into installing an application called Downloader, with suspicious permissions, which shows a screen with two buttons entitled OK and Rules. Clicking on Rules is the entry to a one-way road where the authors inform the victim that the download can cost some money. At this point, it claims that it is possible to either agree or quit by clicking on the relevant buttons. But this is a lie, because clicking on Quit does nothing at all. So you have to give up and click on Agree, or on OK on the first screen, and then the scam begins!

[image: map]

And this scam costs you money! If somebody clicks on the OK or Agree button, they have probably already been defrauded by the creators. In the background, the fake downloader sends a premium-rate SMS to a number chosen according to the user's country of origin. In order to distinguish people from all around the world, the malware contains premium-rate numbers for 60 different countries in an XML file distributed with the application. Since the criminals probably wanted to make it harder for us to analyse, they used AES encryption to make the file “unreadable”. However, once it is decrypted, it reveals XML with a basic structure that for the Czech Republic looks like this:

[image: decrypted XML entry for the Czech Republic]

As you can see, the SMS is sent to the number 9030979 with the text “GET 9190002172+021=2plt3” and is charged at around $4. Once this is done, the user is redirected to the page “u*******i.org/content”, where the user is asked to enter the content of the confirmation message.
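The per-country lookup described above, as an added example in Python that is not code from the original post or from the malware itself. It assumes the asset has already been decrypted (the AES key would have to be recovered from the APK; that step is not shown) and assumes a simple XML layout, one <country> element per entry keyed by ISO country code, carrying the number, text and price the post mentions; the real file's element names are not visible here, and the non-CZ rows are made up. Selecting the entry by the SIM's country code is also an assumption about how the dropper decides.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the decrypted asset. The real file's element and
# attribute names are not visible on the page; one <country> element per
# entry, keyed by ISO 3166-1 code, is an assumption. The CZ values are the
# ones quoted in the post; the AA and BB rows are made up.
SAMPLE_XML = """<premium>
  <country code="CZ" number="9030979" text="GET 9190002172+021=2plt3" price="4 USD"/>
  <country code="AA" number="1111" text="GET 0000000001+001=1aaa1" price="5 USD"/>
  <country code="BB" number="2222" text="GET 0000000002+002=2bbb2" price="6 USD"/>
</premium>
"""


def load_table(xml_text):
    """Parse the decrypted XML into {ISO code: {number, text, price}}."""
    root = ET.fromstring(xml_text)
    table = {}
    for entry in root.iter("country"):
        table[entry.get("code", "").upper()] = {
            "number": entry.get("number"),
            "text": entry.get("text"),
            "price": entry.get("price"),
        }
    return table


def pick_sms(table, sim_country_iso):
    """Mirror the dropper's choice: the entry matching the SIM's country.

    On Android this would come from TelephonyManager.getSimCountryIso()
    (assumption; the post only says the number depends on the user's
    country). Unknown country -> None, i.e. not one of the 60 monetised ones.
    """
    return table.get(sim_country_iso.upper())


def extract_iocs(table):
    """All (country, number, text) triples, e.g. for a short-code blocklist
    or a detection rule that flags outgoing SMS to these numbers."""
    return sorted((code, e["number"], e["text"]) for code, e in table.items())


if __name__ == "__main__":
    table = load_table(SAMPLE_XML)
    chosen = pick_sms(table, "cz")
    print("SIM country CZ ->", chosen["number"], repr(chosen["text"]), chosen["price"])
    for code, number, text in extract_iocs(table):
        print(f"{code}\t{number}\t{text}")
```

Running the script prints the CZ entry from the post and the full short-code list; on a real sample the table would be fed with the decrypted asset instead of SAMPLE_XML.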

This concept is actually nothing new in the Android malware world, as the bad guys have been doing this in various ways for several months. However, AVAST makes it harder for them by detecting their work as Android:FakeInst variants. So what is the lesson? Never trust weird-looking alternative markets and always check the app permissions. If you’ve downloaded a game that asks for SMS and phone call permissions, it probably means that someone is about to “play you” instead.

Some samples and their SHA-256 hashes:
4568c4f98fa376d2df382a42f2a6531d2f307572795bf30701a7b1e7a61fc4bb
99e93ad659447bbd279cc8a8db7d1a0ef435a7d92a89ba9fc040e0d0e3314a97
b7996591e0957d3ef36848f0c05fd4131138297606f39d609cb23b78a31d1c35

Categories: avast.com Tags:

Deeper and deeper

May 11th, 2012

Don’t worry, we’re not going to watch movies marked with an asterisk. However, from the malware analyst’s point of view, the following lines might be somewhat “spicy”. We’ll take a look at a suspected false positive promoted as a regular GameMaster setup. The file appeared in our FP submission system with the usual comment, “it’s clean” or something like that, so we can only guess that the file was not obtained from an official source.

The submitted binary was detected as Win32:MalOb-II, but the particular infected file was not the setup itself (the topmost layer) but an included file, FlashPlayer.exe (under the InnoSetup {app} subfolder). So, if we want to analyse it, we must unpack the setup. FlashPlayer.exe has an icon stolen from the WinRAR archiver – that’s the first suspicious sign. It contains a lot of high-entropy data – another suspicious sign. This data block gets my attention – I’m curious what’s inside. And here we go: after a little bit of tracing, a dynamically allocated block of memory appears and, guess what, it contains another executable binary (which is not dumped to disk but executed directly from memory). Great, another layer. Let’s dump this binary and take a detailed look at it. It contains high-entropy (encrypted) data as well, so let’s emulate it and see what’s inside. Bingo! It’s another executable binary, this time dumped to disk under a randomly generated name (it’s a DLL). We can compare it to a typical matryoshka, as we go deeper and deeper through the layers. For those who didn’t catch the flow of information: is it better with the image below?

[image: chart of the layers and their respective detection ratios]

Still nothing? Ok, sorry. For those who are still on track: the initial setup file has a detection coverage lower than 35%, which is frankly a bad overall result. Go deeper! The fake FlashPlayer.exe gets a much better score, close to 83%. Go deeper! The binary executed directly from memory again gets a lower detection ratio (from an on-demand scan of the dump). Go deeper! And the detection ratio finally rises to 75% for the last dropped binary. More details from the particular VirusTotal scans can be found here:

https://www.virustotal.com/file/bf66869e434a91cbdbc1410ec80915e5da91e2d6a1a4829ddaae6a998cd218bd/analysis/1336729518/

https://www.virustotal.com/file/1d7c19ca92c36997fb15b7f0483079b9fe6880ce2c59a96258b23e6d4e094e73/analysis/1336742483/

https://www.virustotal.com/file/5e69427b0062302b5b7bc9e95ff1439dff61e10c77b911d075e49d9b72335582/analysis/1336742673/

https://www.virustotal.com/file/e9a96a4a5c22ac94335871778e2aee0c0f74aeb17758f35ae3d5c93635e25f69/analysis/1336743210/

As you can see, all layers of this matryoshka “smell” like Vundo, which is definitely not something anyone wants to install along with GameMaster. Leaving the binary as it is could create a false feeling of safety – it’s a normal-looking setup from the outside, but if you can look inside and aggregate the suspicious signs with the detection ratios, you can definitely say: “not an FP, next please”.
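Two of the signs used in this analysis, a large high-entropy data block and an executable hidden inside another, can be checked mechanically before reaching for a debugger. The following Python is an added example, not code from the post or from AVAST: it computes per-window Shannon entropy, merges the suspicious spans, and looks for embedded PE images by validating that an MZ header's e_lfanew field points at a PE signature. It runs on a constructed buffer from build_sample() (a minimal stub, zero-filled slack and a pseudo-random blob standing in for the encrypted layer); the 512-byte window and the 7.0 bits/byte threshold are tuning assumptions.

```python
import math
import random
import struct


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data, window=512, threshold=7.0):
    """Merged (offset, length) spans whose fixed-size windows look encrypted
    or compressed. 7.0 is a common rule of thumb; tune it per sample."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) < threshold:
            continue
        if regions and regions[-1][0] + regions[-1][1] == off:
            regions[-1] = (regions[-1][0], regions[-1][1] + len(chunk))
        else:
            regions.append((off, len(chunk)))
    return regions


def find_embedded_pe(data):
    """Offsets of plausible PE images inside a buffer (a file or a memory
    dump): an 'MZ' whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_sample():
    """Constructed stand-in for a dropper: a minimal MZ/PE stub, zero-filled
    slack, a 2 KiB pseudo-random blob standing in for the encrypted layer,
    and more slack. Seeded so the result is reproducible."""
    rng = random.Random(1)
    stub = bytearray(0x200)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)      # e_lfanew -> 0x80
    stub[0x80:0x84] = b"PE\0\0"
    slack = bytes(0x400)
    blob = bytes(rng.getrandbits(8) for _ in range(0x800))
    return bytes(stub) + slack + blob + slack


def triage(data):
    """Summary an analyst would glance at before deciding to go a layer deeper."""
    return {
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 2),
        "pe_offsets": find_embedded_pe(data),
        "high_entropy_regions": high_entropy_regions(data),
    }


if __name__ == "__main__":
    print(triage(build_sample()))
```

On the constructed sample the triage reports one PE at offset 0 and one high-entropy span covering exactly the blob; on a real dropper the same two functions point at the block worth tracing and at any layer that is already a complete image in memory.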

Please let me know: are such insights into our daily work interesting for you?

Categories: avast.com Tags:

You should be so lucky…

May 10th, 2012

To celebrate the release of avast! version 7, we offered a contest on our Facebook page, in which we asked participants to estimate how many active avast! users there would be as of April 30, 2012. Out of the 23,553 avast! users that entered the contest, 8 participants provided us with the PRECISE number of avast! users as of April 30, 2012.

During the contest, we received a few (silly) estimates that ranged from a high of 202,020,302,050,206… down to a negative 156,000,000,000,000. With guesses like that, we didn’t expect 8 people to be so lucky!

Here is a list of the participants who provided us with the exact number and the time and date of their entries:

Name                 Country             Estimate     Date of Entry
Daniel Felipe S.     Brazil              150,107,324  Mar 10 2012 18:50
Luci M.              USA                 150,107,324  Mar 16 2012 21:52
Rodrigo T.           Brazil              150,107,324  Mar 17 2012 05:03
Edilbert Magahi O.   Philippines         150,107,324  Mar 19 2012 03:56
Yalçın               Turkey              150,107,324  Mar 23 2012 04:18
Konstatnin O.        Ukraine             150,107,324  Mar 30 2012 09:10
Maiel R.             Dominican Republic  150,107,324  Mar 31 2012 16:06
Ravi K.              India               150,107,324  Apr 03 2012 17:13

Among them, Daniel from Maceió, Alagoas, in Brazil, was the first correct participant to respond, with his entry made on March 10, 2012 at 6:50 PM CET.

Daniel, we are looking forward to getting in touch with you to discuss where you want to spend your holidays!

 

Categories: avast.com Tags:

“Fix your hard disk” with fake S.M.A.R.T. Repair tool

May 9th, 2012

Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (for example, antivirus programs), but there are also many fake programs which do nothing beneficial – they just pretend to scan your computer and pretend to fix some errors, but in reality there are no errors and nothing is being fixed. You didn’t install such a program; you don’t even know how it got onto your computer. It’s just there, wanting to trick you into buying a license.

Have you ever wondered what happens when you “buy” the activation key? Will the program really do something for you, will it just disappear… or, maybe, it will keep annoying you. Let’s look at a program called “S.M.A.R.T. Repair”.


Figure 1

 

If we execute “S.M.A.R.T. Repair”, it disappears from its original location and copies itself into “Documents and Settings” under a randomly generated name, for example “@t)f9K70Sh&Z^.exe” (see figure 2) – this is the first sign of suspicious behavior.


Figure 2

 

The second suspicious sign is that you are not able to exit the application in a normal way. If you press the ‘X’ in the top right corner, it only minimizes. If you right-click the “S.M.A.R.T. Repair” icon in the tray, there is no exit option (see figure 3).


Figure 3

 

When the main window appears, the program immediately starts scanning your hard disk (see figure 2). After a while, the scan finishes and a diagnosis report is displayed. Some users might get scared by the possibility of losing their data, so they click “Repair 7 Issues” and the screen in figure 4 appears.


Figure 4

 

Ideally for the malware creators, the user then clicks “Buy license now”, gives his/her credit card number, gets an activation key, clicks “I already have an activation code. Click here to activate” and enters the activation number.

Anyway, people who are fans of reverse engineering already know there is another (cheaper) way. We skip the “Buy license now” step and go directly to “I already have an activation code”. Enter an arbitrary email and activation number (in our case email: aaa, activation number: 123456), press “Activate” and, not surprisingly, a red message displays “The code is invalid. Please contact the support service” (figure 5).


Figure 5

We open our favorite debugger (a tool used to test and debug other programs), attach it to the weirdly named program “@t)f9K70Sh&Z^.exe”, set a breakpoint on USER32.GetWindowTextA/W (the OS function that reads the contents of text fields), then click “Activate”. The debugger stops once (to read the email text field), then stops again to read the activation key field, and then the program displays the message that says the activation code is invalid. After the first debugger stop, we see a screen like the one in figure 6.


Figure 6

Then we step through the program until we find something like figure 7. There is a call to the “strstr” function, which according to the documentation “returns a pointer to the first occurrence of a search string in a string”. In our case, it tests whether the string “08869246386344953972969146034087” is contained within the string “123456” (the string we entered in the activation key field).


Figure 7

Therefore, try to guess what happens when we enter “08869246386344953972969146034087” in the activation key field (figure 8). Yes, we are registered now.
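The weak check above (a hardcoded code compared with strstr against whatever the user typed) and the way the key turned up suggest a cheap first pass that does not need a debugger: scan the unpacked binary for long digit runs. The following Python is an added example, not code from the post or from the S.M.A.R.T. Repair binary. SAMPLE_BLOB is a constructed stand-in for a chunk of the unpacked executable that contains the key once as ASCII and once as UTF-16LE (an assumption about how a Unicode build would store it, given the GetWindowTextW path), and passes_activation replicates the strstr semantics seen in the debugger, so it also accepts any input that merely contains the key.

```python
import re

# The key the debugger revealed in the post's sample.
KNOWN_KEY = "08869246386344953972969146034087"

# Constructed stand-in for a chunk of the unpacked binary. The key sits among
# other data once as ASCII and once as UTF-16LE; the surrounding strings are
# filler taken from the dialog texts the post shows, not a real dump.
SAMPLE_BLOB = (
    b"\x00\x00The code is invalid. Please contact the support service\x00"
    + b"\x90\x90" + KNOWN_KEY.encode("ascii") + b"\x00\x00"
    + b"1234\x00"                                  # short run, below threshold
    + "Repair 7 Issues".encode("utf-16-le") + b"\x00\x00"
    + KNOWN_KEY.encode("utf-16-le") + b"\x00\x00"
)


def candidate_keys(blob, min_len=16):
    """Long digit runs stored as ASCII or as UTF-16LE. Activation codes tend
    to be long numeric strings, so this narrows the search before tracing."""
    found = set()
    for m in re.finditer(rb"[0-9]{%d,}" % min_len, blob):
        found.add(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[0-9]\x00){%d,}" % min_len, blob):
        found.add(m.group().decode("utf-16-le"))
    return sorted(found)


def passes_activation(entered, hardcoded=KNOWN_KEY):
    """The check seen in the debugger: strstr(entered, hardcoded) != NULL.
    Any input that merely contains the key is accepted."""
    return hardcoded in entered


if __name__ == "__main__":
    for key in candidate_keys(SAMPLE_BLOB):
        print("candidate:", key, "-> accepted" if passes_activation(key) else "")
```

In practice the blob would be the unpacked, dumped executable (strings in the packed layer are not visible until it is unpacked), and every candidate is tried in the activation dialog; the strstr semantics mean a candidate with extra characters around it still passes.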


Figure 8

 

After successful registration, the program also opens notepad with the following text:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you for purchasing Data Recovery!

Your activation code: 08869246386344953972969146034087

You can always download your activated program through this link: http://www.backup-download-license.com/support/backup/download/setup_data_recovery.exe (for example, if you need to reinstall your operating system).

Also you can use it to install on any other computer.

For any questions please contact us at Customer Support section or call +1-888-717-7595 (USA/Canada tollfree number), +44-186-552-1441 (UK landline number for international calls).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the text snippet displayed above, we can see the reference to www.backup-download-license.com – it is hosted at the IP address 31.184.244.15. According to various IP location tools, this server is located in the United Arab Emirates but belongs to the ISP Petersburg Internet Network, Saint Petersburg, Russia. However, this is not the only domain hosted at this IP address. There are several more – download-backup-license.com, license-backup-download.com, licensepos.com, licenseres.com, licensetoc.com, ns1.yourordergete.com. All the domains were registered on 2012-04-25 or 2012-04-02 through the registrar BIZCN.COM, a Chinese domain registrar with a reputation for fraudulent registrations. License-backup-download.com also contains an interesting piece of information in its Registrant Contact – “Privacy-Protect.cn”, which is a known domain related to a fake antivirus program.

Anyway, these are not the only URLs that we encountered during our research. The application tries to connect to several more URLs, which are hidden from users without a special monitoring tool. The following table shows the domain, its date of registration, the domain registrar, and, in the last column, the country where the server the domain points to is located.

Domain             Registered    Registrar   Server location
meijeroneca.com    10-apr-2012   BIZCN       Netherlands
whatisadebima.com  16-apr-2012   BIZCN       Sweden
pliesamdalu.com    26-apr-2012   BIZCN       Moldova
psardcreator.com   22-mar-2012   BIZCN       Romania
nardelfire.com     17-apr-2012   BIZCN       Switzerland

 

After entering the correct activation key and pressing “OK”, the program “fixes” all the problems with your hard disk (figure 9), asks you to restart your computer (figure 10), scans your computer again after the reboot, and now finds no more errors (figure 11). It even becomes possible to exit the application by right-clicking the tray icon (figure 12).

Figure 9

Figure 10

Figure 11

Figure 12

 

Now, you can click “Quit” and get rid of this annoying piece of software.

 

Conclusion:

S.M.A.R.T. Repair is a fake scanning tool, often detected as Win32:FakeSysdef. It pretends to scan your computer and fix errors, but in reality it does nothing – it only displays something on the screen. You can’t exit the application normally if you don’t have an activation key. Through the analysis above, we have seen that its protection scheme is not very strong: the activation key is stored in plain text and compared with a simple strstr call. It is important to mention that these activation keys change very often, so this one will not necessarily work for all FakeSysdef samples. However, the method for obtaining the activation key is always more or less the same. S.M.A.R.T. Repair contains references to several domains, which are registered through a suspicious Chinese domain registrar and are hosted on servers all around the world. Our recommendation: STAY AWAY FROM THIS APP.

Categories: avast.com Tags:

avast! Free Antivirus for Mac is #1 download

May 4th, 2012

avast! Free Antivirus for Mac was launched a mere week ago, and it only took three days to reach the #1 position on CNET’s download.com. avast! Free Antivirus for Mac fulfills the need for quality security just as the Mac community is recovering from the high-profile Flashback Trojan that infected 600,000 Macs. Many people realize now that OS X is not immune to attack, and new OS X malware is demonstrating how unprotected Macs can be infected when a user simply visits a website.

avast! Free Antivirus for Mac contains the same light, award-winning, certified, and highly acclaimed antivirus and anti-spyware engine as its avast! version 7 Windows counterpart. Learn more about it here.

Win a MacBook Air

Thanks to loyal avast! users like you, avast! is the most liked antivirus on Facebook. As of this writing, we have over 1.1 million likes and rising. Thanks, avast! fans.

Like avast! on Facebook and enter to win a MacBook Air! Take a photo of yourself with an apple and submit it to our contest by Friday, May 18. You must be a registered avast! user and a fan of avast! on Facebook. After the photos are in, the fun begins when all the participants vote for their top 5 favorite photos. Those five will each win a MacBook Air! So get those apples polished and cameras snapping. We want your best photo!

Categories: avast.com, General Tags: ,

avast! Free Antivirus for Mac and the Flashback botnet

April 24th, 2012

Mac computers running the beta version of avast! Free Antivirus for Mac were not infected by the Flashback Trojan.

“We’ve confirmed our app’s detection abilities for Flashback within the test lab and with reports from our beta testers,” says Jiri Sejtko, director of AVAST Virus Lab operations.

The Flashback Trojan linked to the Mac botnet is a derivative of last year’s DevilRobber Mac OS X Trojan. The AVAST Virus Lab now has 18 variants of this malware in its antivirus database.

“With an estimated 600,000 infected Macs, this botnet is just a large example that the Apple operating system is not immune from malware,” said Jiri. “Add a growing market share that makes Mac an attractive target for the bad guys together with a user base that insists they do not need a security app – you have all the conditions in place for an epidemic to rip through.”

The latest Flashback variants can infect vulnerable Macs without requiring the victim to enter a password. “Mac malware has historically been dependent on social engineering – convincing the user to enter the required password. Now these days are over and Mac users can pick up malware just by visiting an infected website,” adds Jiri. “Welcome to the real world.”

Flashback is a logical step in Mac malware’s steady evolution, he points out. Initial malware samples were rather simple, just compiler-generated code with no encryption whatsoever, but it has since evolved to be more “custom”, with encrypted strings and code, and structured to avoid security apps like Little Snitch (firewall software for Mac OS) or Apple’s XProtect. During 2011, there were some large-scale attempts to spread Mac malware via Google Image poisoning.

“It takes 1-2 years for malware guys to adapt to a new technology – it took a similar time when they switched from DOS to Windows. This latest botnet did not fall out of the clear blue sky. The conditions have been building for some time and I’m glad that our security app will soon be available for Mac users,” says Jiri.

avast! Free Antivirus for Mac is currently in the late beta stage. It includes the latest avast! antivirus engine, three shields (Web, File, and Mail) and the WebRep reputation and anti-phishing plugin for the Safari browser. avast! Free Antivirus for Mac builds on the AVAST Software tradition of providing a full-fledged security app which is completely free. More details coming very soon.

Categories: avast.com Tags: